New Fortnite vulnerabilities put users' privacy at risk
Researchers at security firm Check Point have uncovered vulnerabilities in the popular online game Fortnite that would allow attackers to intercept and steal Fortnite users’ login credentials without them being aware of the theft.
The attack manipulates Fortnite's login process to capture usernames and passwords. Armed with these details, attackers could view any data stored in the game, buy more V-Bucks in-game currency at users' expense, access all of a user’s in-game contacts, and listen in on and record conversations taking place during game play.
To fall victim to this attack, a player needs only to click on a crafted phishing link coming from a genuine Epic Games domain, which makes the link appear legitimate. Once the link is clicked, the user's Fortnite authentication token could be captured by the attacker even without the user entering any login credentials.
"Fortnite is one of the most popular games played mainly by kids. These flaws provided the ability for a massive invasion of privacy," says Oded Vanunu, head of products vulnerability research for Check Point. "Together with the vulnerabilities we recently found in the platforms used by drone manufacturer DJI, show how susceptible cloud applications are to attacks and breaches. These platforms are being increasingly targeted by hackers because of the huge amounts of sensitive customer data they hold. Enforcing two-factor authentication could mitigate this account takeover vulnerability."
Check Point has notified Epic Games of the vulnerability, which has now been fixed. Check Point and Epic Games advise all users to remain vigilant whenever exchanging information digitally, and to practice safe cyber habits when engaging with others online. Users should also question the legitimacy of links to information seen on user forums and websites.
You can read more on the Check Point blog, and there's a video below explaining how the vulnerability works.